Content-Security-Policy:
default-src https:
script-src *.example.com 'unsafe-inline' 'unsafe-eval'
object-src https:
style-src https:
img-src https:
media-src https:
frame-src https:
font-src https:
connect-src https:
report-uri report.example.com
frame-ancestors https:
base-uri https:
form-action https:
referrer origin

Content-Security-Policy-Report-Only:
default-src https:
script-src *.example.com 'unsafe-inline' 'unsafe-eval'
object-src https:
style-src https:
img-src https:
media-src https:
frame-src https:
font-src https:
connect-src https:
report-uri report.example.com
frame-ancestors https:
base-uri https:
form-action https:
referrer origin